Watch out for fake Zoom invites - hackers are abusing ConnectWise ScreenConnect to take over devices
Briefly

A spear-phishing campaign targeted more than 900 organizations with fake meeting invitations from platforms such as Zoom and Microsoft Teams. The campaign tricks recipients into downloading legitimate remote monitoring and management (RMM) software like ConnectWise ScreenConnect. Those installations grant attackers remote access that enables full system control while producing minimal detection signals. Tactics include compromised legitimate email accounts, AI-generated phishing components, URL obfuscation, and use of trusted file-sharing platforms to host malicious links. Invitations used believable business themes such as "Meeting Invite - 2024 Tax Organizer" to increase engagement. Compromised accounts are then used for lateral phishing, account takeover, and credential harvesting.
To manipulate targets into engaging and downloading ScreenConnect, the attackers employ advanced deception techniques built around impressive impersonations and familiar business contexts, effectively creating workflows that align with end-user expectations.
Specific tactics observed include the utilization of compromised legitimate email accounts, AI-generated phishing components, and strategic URL obfuscation methods, as well as the exploitation of trusted business tools such as file-sharing platforms for hosting malicious links.
Targets are then tricked into installing ScreenConnect through AI-generated landing pages, legitimate file-sharing platforms, direct session links, or executable email attachments. Once installed, ScreenConnect gives the attackers remote access capabilities that enable comprehensive system control equivalent to direct access while avoiding detection due to minimal signal activity.
Read at IT Pro